US Defense Secretary: Backdoor Surveillance is ‘Unrealistic’ #RSAC

SAN FRANCISCO — In a measured, but firm, repudiation of the class of electronic surveillance measures commonly attributed to government agencies under his control, US Secretary of Defense Ashton Carter told a capacity crowd at the RSA Conference here yesterday that he personally was “not a believer in” the implementation of “backdoor” measures to defeat device encryption as part of an investigation. He called such measures “unrealistic.”

Carter declined to comment specifically on Apple Inc. or on the Justice Dept.’s ongoing efforts to compel the company to assist its investigators in cracking an iPhone belonging to one of the late suspects in the recent terror attack in San Bernardino, Calif.

But he was willing to speak at length on the underlying ethical issue: Should the federal government have the power to compel a private manufacturer to disable the security of its own device?

“Speaking for the Dept. of Defense, data security, including encryption, is absolutely essential to us,” he told the audience. “None of our stuff works unless it’s connected. There’s no point in my buying all these planes and ships and tanks, and having soldiers, sailors, airmen and Marines if I can’t connect them.”

The Long National Nightmare is Over

The Secretary’s comments had a special resonance with some of the veteran attendees at RSA. The conference was founded a quarter-century ago by three cryptographers who, for most of their careers, championed the cause of the public’s right to secure communications.

Up until just before the turn of the century, RSA Security had engaged in a kind of cold war with government intelligence. The US National Security Agency (NSA) had specifically spoken out against what it perceived as the dangers of an unbreakable encryption scheme in the hands of the general public.

Today, the everyday efficiency of voice-over-IP communications — not just its security — depends upon effective encryption. Carter’s statement represented one of the highest-level affirmations to date of the beneficial role of privately created encryption by a public official directly responsible for state secrets.

“I’m not a believer in backdoors or a single technical approach,” Carter said, just before being drowned out by applause.

“I don’t think that’s realistic. I don’t think it’s technically accurate. The reality is that the problems of data security are many, as you know … and there isn’t going to be one answer. I don’t think we ought to let one case drive a general conclusion or solution.

“And the only way we’re going to get to a good solution is by working together.”

From Secrecy to Coalition

The secretary’s comments came on the day that the Defense Dept. announced the formation of the Defense Innovation Advisory Board. Its task will be to seek opportunities for the Department to coalesce with private companies to build new technologies to be exploited by both the public and private sectors.

“This is going to be some people who are the best technical minds, and spend a little time giving me some advice on how we can be more innovative,” Carter said. “I’m so grateful to Eric Schmidt for his willingness to do this. He’s the perfect chairman for two reasons: First, he’s somebody who obviously is brilliant, and knows the innovative process very well. And second, he’s willing to do it.”

That line drew a bit of laughter. “You can’t take it for granted,” Carter added.

“He cares so deeply about this country and about this world, and he knows that you can’t have everything else — you can’t have freedom, you can’t have innovation, you can’t take care of your families, you can’t have a career — if there isn’t security. So somebody’s got to provide security; it’s a serious business. It’s not a game.”

The 5-Sided Box

Again, the potency of Carter’s comments could be lost without the context of the place and time in which they were made. The annual RSA conference has been the epicenter of the public debate on the public’s right to impregnable communications.

While Carter did not say encryption should be allowed to become impregnable, he set a precedent for a Pentagon willing to share responsibility with the private sector for protecting the public’s rights. He personally calls this change of mindset “thinking outside the five-sided box.”

This week, security engineers here at the RSA conference have reiterated an old theory that’s difficult to argue against: If any encryption technology were to be endowed with a kind of “master key” entry system for law enforcement, they believe, communications systems that require perfect forward secrecy for the integrity of packets sent between servers would be compromised.

Put another way: Ordinary video conferencing systems — including the kind employed by collaboration platforms — might, at some level of stress, fail to work if a back-, side- or front-door key for the NSA were to be exploited.

During his talk, Carter made the case that a collaborative approach to solving such problems as this is preferable to a situation where a solution is attempted by Congress.

“You can easily think of what the alternatives to a sensible and collaborative approach are,” he said. “One is a law, written by people who won’t have the technical knowledge of the people in this room, maybe written in an atmosphere of anger or grief. And that’s not likely to be the right answer.

“Another alternative, which I don’t like, is the solution is written by another country, like Russia or China. You know what their attitudes towards data freedom and data access are, as well as data security.

"So it’s much better if we do it together… let’s be collaborative, let’s be technical, let’s recognize that this is not one case and one problem — it’s many — and innovate our way to the answer.”
